These attacks occurred on 87,901 unique domain names, of which 22,679 were found to have been registered maliciously, mostly by Chinese phishers. The other 59,485 domains were almost all hacked or compromised domains.

Other key findings of the report:

Apple became the world’s most-phished brand, with 21,951 attacks (17.7% of all attacks). PayPal was second with 17,811 attacks (14.4%), and Taobao.com third (16,418 attacks, or 13.2%).

The introduction of new top-level domains (TLDs) did not have an immediate major impact on phishing. Phishing occurred in 227 TLDs, but 90% of the malicious domain registrations (20,565) were in just five: .com, .tk, .pw, .cf, and .net. Only a small number of phishing attacks were seen in the new generic top-level domains (gTLDs), such as .agency, .center, and .company, launched in early 2014.

The average uptimes of phishing attacks – 32 and a half hours – remain near historic lows, indicating that anti-phishing responders are having some success.

The companies (brands) targeted by phishers were diverse, and there were many new targets, indicating that cyber criminals are looking for new opportunities in new places. The report notes that “any enterprise with an online presence can be a phishing target – if a site takes in personal data, then there may be phishers who want to exploit it.”

Christmas is the perfect time to phish, as our infographic shows:

If you’re concerned about your employees’ susceptibility to a phishing attack, you might be interested in IT Governance’s Employee Phishing Vulnerability Assessment. It will identify potential vulnerabilities among your employees and provide recommendations to improve your security, enabling you to have a broad understanding of how you are at risk, and what you need to do to address these risks.

You may also want to consider the Information Security and ISO 27001 Staff Awareness E-learning Course, which raises awareness of phishing attacks and other important information security issues, helping you reduce your organization’s exposure to security failures. Aligned with ISO 27001 – the information security standard – this course will teach your staff international cybersecurity best practices.